As an OPRE System Admin, I want to ensure that a user can't have a valid session from two sources simultaneously to enact a better security posture.
Acceptance Criteria
For any singular user account, the originating IPv4 or IPv6 address should be tracked and if during an existing valid session, another authorization is attempted for the same user from a different IP "location", the pre-existing session should be invalidated but the new one should survive and be allowed to proceed.
(@tdonaworth updated to remove the "how")
Tasks
Make any changes necessary to track an authenticated user's IP address source location as part of active session management
Build any logic necessary to tear down the pre-existing session to meet the AC mentioned above.
Definition of Done Checklist
Usability validated
UI works as designed
OESA: Code refactored for clarity
OESA: Dependency rules followed
Automated unit tests updated and passed
Automated integration tests updated and passed
Automated quality tests updated and passed
Automated load tests updated and passed
Automated a11y tests updated and passed
Automated security tests updated and passed
90%+ Code coverage achieved
PR(s) have been merged to main
Design/tech debt eliminated
Build process updated
Documentation updated or added
Feature flags/toggles created
Additional Context & Resources
This may be superseded by or related to the control NIST 800-53 rev 5 AC-10 which requires us to have restrictions on concurrent sessions.
tdonaworth changed the title from "Story: Handle multiple sessions from different source IPs" to "Story: Handle multiple sessions from different location" on Feb 9, 2023
Updated the AC to be more generic, as the core need is to ensure we determine the source "location" of an Authentication, and maintain that. "How" we do that is for us to determine and implement, as tracking IP is generally fraught with issues; as there are other ways to determine where a request originated from, etc.
jonnalley changed the title from "Story: Handle multiple sessions from different location" to "Dupe: Handle multiple sessions from different location" on Feb 11, 2023
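One way the acceptance criteria above could be met, as an added example that is not code from this project: a session registry that revokes a user's sessions from other locations when a new login succeeds. It assumes "location" is the normalized source IP (the thread leaves the "how" open) and that repeat logins from the same location keep existing sessions; `SessionRegistry`, `location_key` and `SESSION_TTL` are hypothetical names.

```python
import ipaddress
import secrets
import threading
import time

SESSION_TTL = 30 * 60  # assumed lifetime in seconds; the story does not set one


def location_key(addr: str) -> str:
    """Canonical form of a source address, so one client is one location."""
    ip = ipaddress.ip_address(addr.strip())
    # An IPv4 client behind a dual-stack listener arrives as ::ffff:a.b.c.d
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.compressed


class SessionRegistry:
    def __init__(self, clock=time.monotonic):
        self._lock = threading.Lock()
        self._clock = clock
        self._by_token = {}  # token -> (user, location, expires_at)
        self._by_user = {}   # user -> set of tokens

    def login(self, user: str, addr: str):
        """Open a session; return (new_token, live tokens this login revoked)."""
        loc, now = location_key(addr), self._clock()
        token = secrets.token_urlsafe(32)
        with self._lock:
            revoked = []
            for old in list(self._by_user.get(user, ())):
                _, old_loc, expires = self._by_token[old]
                # Drop expired sessions and sessions from any other location.
                if expires <= now or old_loc != loc:
                    del self._by_token[old]
                    self._by_user[user].discard(old)
                    if expires > now:
                        revoked.append(old)  # was still live: log or alert
            self._by_token[token] = (user, loc, now + SESSION_TTL)
            self._by_user.setdefault(user, set()).add(token)
        return token, revoked

    def is_valid(self, token: str) -> bool:
        """True while the token is known (not revoked) and unexpired."""
        with self._lock:
            entry = self._by_token.get(token)
            return entry is not None and entry[2] > self._clock()
```

The list of revoked tokens is returned so the caller can record the forced logout in its audit log. Comparing raw address strings instead of `location_key` output would treat `::ffff:192.0.2.10` and `192.0.2.10` as two locations and tear down a session the user still owns.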